Privacy - New California Security Breach Notification Requirements Set Standard Core Content for Notification Letters

The purpose of this alert is twofold: (1) to remind our clients that both federal and state law require financial institutions and most businesses to safeguard their customers’ information; and (2) to advise of new requirements for security breach notification letters.

by Timothy Moroney and Dawn Valentine

In 2002, California adopted a first-in-the-nation security breach notification statute (AB 700, Simitian) (the “Security Breach Notification Law”).

The Security Breach Notification Law requires companies that do business in California and hold computerized data containing their customers’ personal information to notify affected California residents when unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Note the encryption qualifier: the duty is triggered by the compromise of unencrypted personal information.

Background

Since then, 45 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted security breach notification laws modeled on California’s Security Breach Notification Law. Only Alabama, Kentucky, New Mexico and South Dakota do not have security breach notification laws.

Moreover, 14 states (Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming) and Puerto Rico have built upon California’s model by specifying in more detail what information a security breach notification must contain.

Further, the federal government has weighed in. As of February 19, 2009, under the HITECH Act’s breach notification provisions, individuals must be notified of breaches of their personal medical information, and those notifications must contain certain specified content.

Still further, a number of states (Alaska, Hawaii, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia) require a business that suffers a security breach to notify a state regulator, such as the Attorney General, in addition to the affected individuals.

SB 24 Data Breach Notification

Accordingly, not to be outdone as the leader in consumer protection, California adopted new requirements, effective January 1, 2012, for what information must be included in a security breach notification letter (SB 24, amending Civil Code sections 1798.29 and 1798.82).

The purpose underlying these new requirements is to close an identified gap: the old law required data holders to notify individuals when there had been a data breach involving personal information, but was silent on what the notification should say.

As a result, security breach notification letters varied greatly in the information they provided, leaving consumers confused and without answers to the basic questions: what information was breached, when did the breach occur, and what should consumers do to protect themselves?

Moreover, businesses were left exposed and uncertain of what was expected of them in the event of a breach.  

The new requirements fill this gap by establishing standard, core content for the notification letters. Specifically, the new law requires that security breach notification letters be written in plain language and, at a minimum, contain the following information:

  1. The name and contact information of the reporting agency, person, or business;
  2. A list of the types of personal information that were compromised or were the subject of the breach;
  3. If it is possible to determine at the time the notice is provided, the date of the breach, the estimated date of the breach, or the date range within which the breach occurred;
  4. The date of the notice;
  5. Whether the notification was delayed because of a law enforcement investigation, if that is possible to determine at the time the notice is provided;
  6. A general description of the breach incident, if that is possible to determine at the time the notice is provided; and
  7. The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number, or a driver’s license or California Identification Card number.

The new law further provides that an agency, person, or business may, at its discretion, include the following information in a security breach notification:

  1. Information regarding what the entity has done to protect individuals whose information has been breached; and
  2. Advice on steps that the individual may take to protect himself or herself.

The new requirements also obligate any agency, person, or business that must provide a security breach notification to more than 500 California residents as a result of a single breach of the security system to submit a single sample copy of the notification electronically to the California Attorney General. That sample copy is not considered a record of complaint or investigation under the California Public Records Act.

Notification is only half of the obligation. As noted at the outset, both federal and state law require financial institutions and most businesses to safeguard their customers’ information in the first place.

Generally, the safeguarding standards applicable to financial institutions and most businesses (for example, the federal Gramm-Leach-Bliley Act Safeguards Rule for financial institutions, and California Civil Code section 1798.81.5 for businesses generally) require the creation and implementation of a comprehensive written information security program that includes administrative, technical and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information.

Security breaches attract media and regulatory attention. If you are not in compliance with your safeguarding obligations, now is the time to come into compliance.

If you have any questions or comments about your safeguarding obligations, please don’t hesitate to contact Tim Moroney at (415) 743-3713; tmoroney@bargerwolen.com or Dawn Valentine at (415) 743-3731; dvalentine@bargerwolen.com

The California Supreme Court Reiterates Analysis for Determining Whether a Statutory Violation Confers a Private Cause of Action

On August 9, 2010, the California Supreme Court issued its unanimous opinion in Lu v. Hawaiian Gardens Casino, Inc., holding that a specific Labor Code provision cannot be enforced by private litigants. The opinion is important because it reiterates cases and analyses that can be used to defeat a plaintiff’s attempt to assert a private cause of action where the Legislature intended none. Unfortunately, however, the Supreme Court declined to address the further question of whether a statute that cannot independently confer a private cause of action can still be used as a predicate for a claim under the “unlawful” prong of the Unfair Competition Law (“UCL”).

Louie Lu (“Lu”) was a card dealer at the Hawaiian Gardens Casino in Southern California. As a dealer, he received tips. However, not all of the tips were his to keep. Instead, he was required to contribute 15% to 20% of his tips to a community fund that was then split among other employees who provided services to the card players but were not tipped as routinely as the dealers (i.e., floormen, poker tournament coordinators, concierges, etc.).

The tip pool policy specifically prohibited managers and supervisors from receiving any money from the pool. This exclusion of managerial personnel from sharing in the tips is important, because Labor Code Section 351 prohibits an employer from taking, collecting or receiving employees’ tips. However, California courts have long held that pooling tips to be split among similarly situated employees, such as waiters and waitresses on the same shift, does not violate Section 351. Similarly, courts have held that pooling tips in the casino setting, when those tips are spread among the non-managerial staff, is acceptable and not a violation of Section 351. Lu contended that “agents” of the casino (presumably managerial employees) were improperly sharing in the pooled tips, and asserted causes of action for violation of Section 351 and of Section 17200 of the UCL.

The trial court dismissed both causes of action. As to the Section 351 claim, the trial court found that the section does not provide a private cause of action, because enforcement of that provision is explicitly committed solely to the Department of Industrial Relations. The trial court likewise dismissed the UCL claim, reasoning that Section 351 could not serve as a predicate for the “unlawful” prong of the UCL unless it could be enforced through a private cause of action; since it could not, the UCL claim could not be maintained either. Lu appealed.

The appellate court agreed with the trial court that Lu could not assert a private cause of action under Section 351 itself. However, the appellate court disagreed with the trial court by finding that Section 351 could still afford Lu a private cause of action when used as a predicate for the “unlawful” prong of the UCL. More specifically, the Court of Appeal held:

Nevertheless, Lu alleged a cause of action under the UCL for violation of Labor Code sections 351 and 450. “Virtually any law -- federal, state or local -- can serve as a predicate for an action under Business and Professions Code section 17200.” The UCL is a proper avenue for Lu to challenge violations of these Labor Code provisions.

The California Supreme Court granted Lu’s petition for review on the sole question of whether Section 351 itself affords a private right of action, leaving the Court of Appeal’s ruling that the section can be used as a predicate for a UCL claim in limbo (the entire Court of Appeal decision was depublished when review was granted on the Section 351 issue).

The Supreme Court’s opinion provides a lengthy analysis of why Section 351 does not provide a private right of action on its own, citing with approval a number of cases (including Moradi-Shalal v. Fireman’s Fund, Vikco Insurance Services Inc. v. Ohio Indemnity Co., Crusader v. Scottsdale Insurance Co. and Middlesex Ins. Co. v. Mann) that Barger & Wolen attorneys have used to argue that a plaintiff has no private cause of action for perceived violations of the Insurance Code, including sections 790.03 and 1763. The Supreme Court’s decision in Lu provides additional ammunition against plaintiffs who seek to expand the civil enforcement of statutory provisions by private litigants where no such right was intended.

While the Supreme Court chose not to address the UCL question presented by the conflicting trial and appellate court decisions, that fight will surely return to California’s high court on another day.

Barger & Wolen attorneys have significant experience in defending UCL claims in state and federal court, as well as in presenting arguments against plaintiffs’ attempts to assert private causes of action based on Insurance Code statutes.